================ Start Lecture #20
================
Note:
Please be sure that your labs are unique individual efforts. You may
work together, but the labs you submit should be your own.
Consistency
- Fsck (file system check) and chkdsk (check disk)
- If the system crashed, it is possible that not all metadata was
written to disk. As a result the file system may be inconsistent.
These programs check, and often correct, inconsistencies.
- Scan all inodes (or the FAT) to check that each block is in exactly
one file, or on the free list, but not both.
- Also check that the number of links to each file (part of the
metadata in the file's inode) is correct (by
looking at all directories).
- Other checks as well.
- Offers to ``fix'' the errors found (for most errors).
- ``Journaling'' file systems (not on 202 exams)
- An idea from database theory (transaction logs): each metadata
update is first recorded in a log and only then applied to the file
system proper.
- Eliminates the need for fsck after a crash: the system replays (or
discards) the incomplete log entries instead of scanning the whole
disk.
- NTFS has had journaling from day 1.
- Many Unix systems have it. IBM's AIX converted to journaling
in the early 90s.
- Linux distributions do not yet have journaling, a serious
shortcoming. It is under active development and experimental
versions are available.
- FAT does not have journaling.
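The block and link-count checks of fsck described above, as an added example (this is not code from the notes or from any real fsck; the crash state at the bottom is constructed). It generalizes slightly: besides the in-exactly-one-place rule it also reports block numbers that lie off the disk, and it applies the repairs fsck offers for the cases where the right answer is unambiguous.

```python
"""fsck-style block and link-count checks (added example, not from the notes).

Every data block must be in exactly one file or on the free list, not both
and not neither. The safe repairs are the ones fsck offers: a block in
neither place is put on the free list, a block listed twice as free is
listed once, and a block both in use and free is taken off the free list.
A block in two files is only reported (fixing it needs a copy and one file
remains corrupted). Block numbers outside the disk are also reported.
"""
from collections import Counter


def check_blocks(inodes, free_list, nblocks):
    """inodes: {inode_no: [block, ...]}, free_list: [block, ...].
    Returns {problem_kind: sorted block numbers}."""
    in_use = Counter(b for blocks in inodes.values() for b in blocks)
    free = Counter(free_list)
    problems = {"missing": [], "dup_free": [], "dup_use": [], "both": [],
                "out_of_range": [b for b in set(in_use) | set(free)
                                 if not 0 <= b < nblocks]}
    for b in range(nblocks):
        u, f = in_use[b], free[b]
        if u == 0 and f == 0:
            problems["missing"].append(b)
        if f > 1:
            problems["dup_free"].append(b)
        if u > 1:
            problems["dup_use"].append(b)
        if u >= 1 and f >= 1:
            problems["both"].append(b)
    return {k: sorted(v) for k, v in problems.items()}


def repaired_free_list(inodes, free_list, nblocks):
    """Apply the safe repairs and return the corrected free list."""
    used = {b for blocks in inodes.values() for b in blocks}
    missing = check_blocks(inodes, free_list, nblocks)["missing"]
    new_free = (set(free_list) - used) | set(missing)
    return sorted(b for b in new_free if 0 <= b < nblocks)


def check_link_counts(link_counts, directories):
    """link_counts: {inode_no: count stored in the inode};
    directories: {dir_name: {entry_name: inode_no}}.
    Returns {inode_no: (stored, actual)} for every mismatch."""
    actual = Counter(ino for entries in directories.values()
                     for ino in entries.values())
    return {ino: (stored, actual[ino]) for ino, stored in link_counts.items()
            if stored != actual[ino]}


# Constructed crash state: 12 data blocks, three inodes, a damaged free list.
NBLOCKS = 12
INODES = {1: [0, 1], 2: [2, 3, 4], 3: [4, 5]}   # block 4 is in two files
FREE_LIST = [6, 7, 7, 8, 5, 12]                  # 7 twice, 5 also in use, 12 off the disk
LINK_COUNTS = {1: 2, 2: 1, 3: 1}
DIRECTORIES = {"/": {"a": 1, "b": 2},
               "/d": {"c": 1, "e": 3, "f": 3}}  # inode 3 really has 2 links

if __name__ == "__main__":
    print(check_blocks(INODES, FREE_LIST, NBLOCKS))
    print(repaired_free_list(INODES, FREE_LIST, NBLOCKS))
    print(check_link_counts(LINK_COUNTS, DIRECTORIES))
```

Blocks 9, 10 and 11 are in neither place and are simply returned to the free list; block 4, claimed by two inodes, is only reported, because either file may be the one whose data is wrong.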
4.3.6 File System Performance
Buffer cache or block cache
An in-memory cache of disk blocks.
- Demand paging again!
- Clearly good for reads as it is much faster to read memory than to
read a disk.
- What about writes?
- Must update the buffer cache (otherwise subsequent reads will
return the old value).
- The major question is whether the system should also update
the disk block.
- The simplest alternative is write through,
in which each write is performed at the disk before it is declared
complete.
- Since floppy disk drivers adopt a write through policy,
one can remove a floppy as soon as an operation is complete.
- Write through results in heavy I/O write traffic.
- If a block is written many times all the writes are
sent to the disk. Only the last one was ``needed''.
- If a temporary file is created, written, read, and
deleted, all the disk writes were wasted.
- DOS uses write-through
- The other alternative is write back in which
the disk is not updated until the in-memory copy is
evicted (i.e., at replacement time).
- Much less write traffic than write through.
- Trouble if a crash occurs.
- Used by Unix and others for hard disks.
- Can write dirty blocks periodically, say every minute.
This limits the possible damage, but also the possible gain.
- Ordered writes. Do not write a block containing pointers
until the block pointed to has been written. This matters most when
the block pointed to itself contains pointers: if it has not reached
the disk, the on-disk copy of those pointers is stale, and after a
crash the file points at random blocks.--unofficial for 202
- Research in ``log-structured'' file systems tries to make all
writes sequential (i.e., writes are treated as if going to a log
file).--unofficial
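The write-through versus write-back trade-off above, as an added example (not code from the notes or from any real operating system). A small LRU block cache counts the disk writes each policy issues for a constructed workload (a temporary file written several times and then abandoned, plus one long-lived block) and reports what is lost when the machine crashes, with and without a periodic flush of dirty blocks.

```python
"""Write-through vs write-back block cache (added example, not from the notes).

The `disk` dict stands in for the disk; `crash()` models a power failure
in which the in-memory cache is lost. `sync()` is the periodic writer that
flushes dirty blocks (the "every minute" policy).
"""


class BlockCache:
    def __init__(self, capacity, policy, disk):
        assert policy in ("through", "back")
        self.capacity, self.policy, self.disk = capacity, policy, disk
        self.cache = {}        # block -> data; dict order doubles as LRU order
        self.dirty = set()     # blocks newer in memory than on disk (write-back only)
        self.disk_reads = self.disk_writes = 0

    def _touch(self, block):
        self.cache[block] = self.cache.pop(block)   # move to most-recently-used end

    def _make_room(self):
        if len(self.cache) >= self.capacity:
            victim = next(iter(self.cache))          # least recently used
            data = self.cache.pop(victim)
            if victim in self.dirty:                 # write-back: disk updated at eviction
                self.disk[victim] = data
                self.disk_writes += 1
                self.dirty.discard(victim)

    def read(self, block):
        if block not in self.cache:
            self._make_room()
            self.cache[block] = self.disk.get(block)
            self.disk_reads += 1
        self._touch(block)
        return self.cache[block]

    def write(self, block, data):
        if block not in self.cache:
            self._make_room()
        self.cache[block] = data                     # the cache is always updated
        self._touch(block)
        if self.policy == "through":
            self.disk[block] = data                  # and the disk, before the write completes
            self.disk_writes += 1
        else:
            self.dirty.add(block)

    def sync(self):
        for b in sorted(self.dirty):
            self.disk[b] = self.cache[b]
            self.disk_writes += 1
        self.dirty.clear()

    def crash(self):
        """Return the blocks whose latest contents were lost."""
        lost = sorted(self.dirty)
        self.cache.clear()
        self.dirty.clear()
        return lost


def run_workload(policy, periodic_sync=False):
    """Constructed workload: a temporary file (blocks 10-12) is written three
    times per block, read back and then abandoned; a long-lived file (block 20)
    is written once; then the machine crashes.
    Returns (disk writes issued, blocks lost, what the disk holds for block 20)."""
    disk = {}
    c = BlockCache(capacity=4, policy=policy, disk=disk)
    for _ in range(3):
        for b in (10, 11, 12):
            c.write(b, f"tmp{b}")
    for b in (10, 11, 12):
        c.read(b)
    if periodic_sync:
        c.sync()
    c.write(20, "kept")
    lost = c.crash()
    return c.disk_writes, lost, disk.get(20)


if __name__ == "__main__":
    for policy, sync in (("through", False), ("back", False), ("back", True)):
        print(policy, "sync" if sync else "no sync", run_workload(policy, sync))
```

Write-through issues ten disk writes and loses nothing; pure write-back issues none and loses every block, including the long-lived one; the periodic sync lands in between, spending three writes on the temporary file (wasted, as the text says) while block 20, written after the sync, is still lost.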
Homework: 12.
4.4: Security
Very serious subject. Could easily be a course in itself. My
treatment is very brief.
4.4.1: Security environment
- Accidental data loss
- Fires, floods, etc.
- System errors.
- Human errors.
- Intruders
- Sadly an enormous problem.
- The NYU ``greeting'' no longer includes the word ``welcome''
since that was somehow
interpreted as some sort of license to break in.
- Indeed, the greeting is not friendly.
- It once was.
- Below I have a nasty version from a few years ago.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
WARNING: UNAUTHORIZED PERSONS ........ DO NOT PROCEED
~~~~~~~ ~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~
This computer system is operated by New York University (NYU) and may be
accessed only by authorized users. Authorized users are granted specific,
limited privileges in their use of the system. The data and programs
in this system may not be accessed, copied, modified, or disclosed without
prior approval of NYU. Access and use, or causing access and use, of this
computer system by anyone other than as permitted by NYU are strictly pro-
hibited by NYU and by law and may subject an unauthorized user, including
unauthorized employees, to criminal and civil penalties as well as NYU-
initiated disciplinary proceedings. The use of this system is routinely
monitored and recorded, and anyone accessing this system consents to such
monitoring and recording. Questions regarding this access policy or other
topics should be directed (by e-mail) to comment@nyu.edu or (by phone) to
212-998-3333.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Privacy
- An enormously serious (societal) subject.
4.4.2: Famous flaws
- Good bathroom reading.
- Trojan horse attack: Planting a program of your choosing in place
of a well-known program and having an unsuspecting user execute it.
- Some trivial examples:
- Install a new version of login that does everything normal,
but then mails the username and plaintext password to
gottlieb@nyu.edu.
- Put a new version of ls in your home directory and ask the
sysadmin for help. ``Hopefully he types ls while in your
directory and has . early in his path''.
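The check a careful sysadmin would run against the ls-in-the-home-directory trick above, as an added example (not code from the notes). It audits a PATH for the entries that hand control to someone else: the current directory (written as `.` or as an empty field), relative directories, and absolute directories that other users can write to. The filesystem is behind two callbacks so the constructed PATHs below can be checked without touching the real machine; `writable_by_others` is the real check for an actual directory.

```python
"""Audit a Unix PATH for entries that would pick up a planted `ls`
(added example, not from the notes)."""
import os
import stat


def writable_by_others(directory):
    """Real check: is the directory group- or world-writable?"""
    try:
        mode = os.stat(directory).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_path_entries(path, writable=writable_by_others):
    """Return [(entry, reason)] for every PATH entry that lets someone else
    decide which program runs: the current directory ('.' or an empty
    field), a relative directory, or an absolute one others can write to."""
    problems = []
    for entry in path.split(":"):
        if entry in ("", "."):
            problems.append((entry or "(empty)", "current directory is searched"))
        elif not entry.startswith("/"):
            problems.append((entry, "relative entry, depends on the cwd"))
        elif writable(entry):
            problems.append((entry, "directory writable by others"))
    return problems


def resolve_command(path, command, exists):
    """Which directory's `command` runs? exists(directory, command) -> bool
    stands in for the filesystem. Returns the first match, or None."""
    for entry in path.split(":"):
        directory = entry or "."
        if exists(directory, command):
            return directory
    return None


# Constructed filesystem: a planted ls in the victim's cwd and the real one.
FILES = {(".", "ls"), ("/usr/bin", "ls")}
WRITABLE = {"/tmp/tools"}
SYSADMIN_PATH = ".:/usr/local/bin:/usr/bin:bin:/tmp/tools"
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"


def in_files(directory, command):
    return (directory, command) in FILES


if __name__ == "__main__":
    print(risky_path_entries(SYSADMIN_PATH, writable=WRITABLE.__contains__))
    print(resolve_command(SYSADMIN_PATH, "ls", in_files))   # the planted one wins
    print(resolve_command(SAFE_PATH, "ls", in_files))       # /usr/bin
    print(risky_path_entries(os.environ.get("PATH", "")))   # your own PATH
```

With `.` first, the planted `ls` in the current directory is what runs; with the safe PATH, `/usr/bin/ls` does, whatever directory the sysadmin happens to be in.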
4.4.3: The internet worm
- A worm is a self-contained program that copies itself (or a small
bootstrap portion of itself) to another machine over the network and
runs there.
- Different from a virus (see below).
- The famous internet (Morris) worm exploited silly bugs in unix to
crack systems automatically.
- Specifically, it exploited careless use of gets() (in fingerd), which
reads an input line into a buffer without any bound on its length, so
an overlong line overflows the buffer.
- Attacked Sun and Vax unix systems.
- NYU was hit hard; but not our lab, which had IBM RTs.
4.4.4: Generic Security attacks
More bathroom reading
Viruses
- A virus attaches itself to (``infects'') a part of the system so
that it remains until explicitly removed. In particular, rebooting
the system does not remove it.
- Attaches itself to an existing program or to a portion of the disk
that is used for booting.
- When the virus is run it tries to attach itself to other files.
- Often implemented the same way as a binary patch: Change the first
instruction to jump to somewhere where you put the original first
instruction, then your patch, then a jump back to the second
instruction.
4.4.5: Design principles for security
More bathroom reading
4.4.6: User authentication
Passwords
- Software to crack passwords is publicly available.
- Use this software for prevention: run it against your own password
file and make users whose passwords it finds choose better ones.
- One way to prevent cracking passwords is to use instead one time
passwords: e.g. SecurID.
- Current practice here and elsewhere is that when you telnet to a
remote machine, your password is sent in the clear along the ethernet.
So maybe .rhosts aren't that bad after all.
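Why a one-time password defeats the sniffer on the Ethernet, as an added example (not code from the notes). This is the S/Key (Lamport hash chain) construction, not what SecurID does (SecurID uses a time-synchronized token); the seed is a constructed value. The server stores only the end of the chain, each login must present the preimage of the stored value, and a password captured off the wire is useless because the server has already moved past it.

```python
"""One-time passwords from a hash chain, S/Key (Lamport) style
(added example, not from the notes). The point: a password sniffed off
the wire is useless, because the next login requires its preimage."""
import hashlib


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hash_chain(seed: bytes, n: int):
    """[seed, h(seed), h(h(seed)), ..., h^n(seed)]"""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain


class Server:
    """Stores only the last accepted value (initially h^n(seed)) and the
    number of logins left; it never learns the seed."""
    def __init__(self):
        self.db = {}
        self.sniffed = []      # what an eavesdropper on the Ethernet would see

    def enroll(self, user, seed, n):
        self.db[user] = (hash_chain(seed, n)[-1], n)

    def login(self, user, otp):
        self.sniffed.append(otp)
        last, remaining = self.db[user]
        if remaining == 0 or h(otp) != last:
            return False
        self.db[user] = (otp, remaining - 1)   # accepted value becomes the new anchor
        return True


class Client:
    """Holds the seed (e.g. a token, or a printed list of the chain)."""
    def __init__(self, seed, n):
        self.chain = hash_chain(seed, n)
        self.i = n

    def next_otp(self):
        if self.i == 0:
            raise RuntimeError("chain exhausted; re-enroll with a new seed")
        self.i -= 1            # send h^(i-1)(seed); server checks h(it) == h^i(seed)
        return self.chain[self.i]


def demo(seed=b"constructed seed, not a real secret", n=3):
    """Genuine login, replay of the sniffed password, then the rest of the chain."""
    server, client = Server(), Client(seed, n)
    server.enroll("alice", seed, n)
    results = []
    results.append(server.login("alice", client.next_otp()))    # genuine: accepted
    results.append(server.login("alice", server.sniffed[-1]))   # attacker replays it: rejected
    results.append(server.login("alice", client.next_otp()))    # next genuine login
    results.append(server.login("alice", client.next_otp()))    # last value in the chain
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, True]
```

A plain password sent in the clear would succeed on the second line as well; here the replay fails because the stored anchor has already advanced to the value the attacker captured, whose preimage the attacker cannot compute.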
Physical identification
Opens up a bunch of privacy questions. For example,
should we require fingerprinting for entering the subway?
Homework: 15, 16, 19, 24.
4.5: Protection mechanisms
4.5.1: Protection domains
- We distinguish between Objects, which are
passive, and subjects, which are active.
- For example, processes (subjects) examine files (objects).
- Protection domain: A collection of (object,
rights) pairs.
- At any given time a subject is given a protection domain that
specifies its rights.
- In Unix a subject's domain is determined by its (uid, gid) (and
whether it is in kernel mode).
- This generates a matrix called the protection or permission matrix.
- Each row corresponds to a domain (i.e. a subject at some time).
- Each column corresponds to an object (e.g., a file or device).
- Each entry gives the rights the domain/subject has on this object.
- Can model Unix suid/sgid by permitting columns whose headings are
domains; the only right possible in the corresponding entries is
enter. If this right is present, the subject corresponding to the row
can s[ug]id to the new domain, which corresponds to the
column.--unofficial.
4.5.2: Access Control Lists (ACLs)
Keep the columns of the matrix separate and drop the null entries.
4.5.3: Capabilities
Keep the rows of the matrix separate and drop the null entries.
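The protection matrix of 4.5.1 with its two decompositions (ACLs by column, capability lists by row) and the enter-right model of suid, as an added example (not code from the notes). Domains are (uid, gid) pairs as in Unix; the matrix, the file names and the setuid password program's domain are constructed.

```python
"""Protection matrix, ACLs and capability lists (added example, not from the notes).

The matrix is stored sparsely as {(domain, object): rights}. Slicing it by
column gives ACLs, by row gives capability lists. Unix suid/sgid is
modelled as in the notes: a column headed by a domain, whose only right
is "enter"."""


def acls(matrix):
    """Column view: object -> {domain: rights}, null entries dropped."""
    out = {}
    for (domain, obj), rights in matrix.items():
        if rights:
            out.setdefault(obj, {})[domain] = set(rights)
    return out


def capabilities(matrix):
    """Row view: domain -> {object: rights}, null entries dropped."""
    out = {}
    for (domain, obj), rights in matrix.items():
        if rights:
            out.setdefault(domain, {})[obj] = set(rights)
    return out


def allowed(matrix, domain, obj, right):
    return right in matrix.get((domain, obj), set())


def enter(matrix, domain, target):
    """Switch domains (what exec of a setuid program does); needs the
    'enter' right in the column headed by the target domain."""
    if not allowed(matrix, domain, target, "enter"):
        raise PermissionError(f"{domain} may not enter {target}")
    return target


# Constructed matrix. Domains are (uid, gid) pairs; PASSWD is the effective
# identity alice gets while running a setuid-root passwd program.
ALICE, ROOT, PASSWD = ("alice", "staff"), ("root", "wheel"), ("root", "staff")
MATRIX = {
    (ALICE, "/etc/passwd"): {"read"},
    (ALICE, "/home/alice/notes"): {"read", "write"},
    (ROOT, "/etc/passwd"): {"read", "write"},
    (ROOT, "/home/alice/notes"): {"read", "write"},
    (ALICE, ROOT): set(),              # alice cannot simply become root
    (ALICE, PASSWD): {"enter"},        # but may run the setuid passwd program
    (PASSWD, "/etc/passwd"): {"read", "write"},
}


def change_password_as(domain):
    """Model of `passwd`: exec the setuid program, then write /etc/passwd."""
    return allowed(MATRIX, enter(MATRIX, domain, PASSWD), "/etc/passwd", "write")


if __name__ == "__main__":
    print(acls(MATRIX)["/etc/passwd"])           # one ACL: who may do what to the file
    print(capabilities(MATRIX)[ALICE])           # alice's capability list
    print(change_password_as(ALICE))             # True, via the enter right
```

Note that the null entry for (alice, root) disappears from both decompositions, which is exactly why storing the sparse matrix as ACLs or capabilities is cheaper than storing it whole.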
4.5.4: Protection models
Give objects and subjects security levels and enforce (the Bell-LaPadula rules):
- A subject may read only those objects whose level is at or below
her own.
- A subject may write only those objects whose level is at or
above her own.
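The two rules above in code, as an added example (not from the notes). It generalizes the notes' single ordering of levels to the usual lattice of (level, set of compartments): a label dominates another when its level is at or above and its compartments include the other's. The search at the end checks every (subject, source, destination) triple and confirms that with both rules enforced no permitted copy moves data to a label that does not dominate its source, and shows that dropping the write rule alone opens leaks. Levels, compartments and labels are constructed.

```python
"""Multilevel security checks (Bell-LaPadula style), generalized from the
total order in the notes to a lattice of (level, compartments)
(added example, not from the notes)."""
from dataclasses import dataclass
from itertools import product

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """self is 'at or above' other in the lattice."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject, obj):
    """Simple security property: read only at or below your own label."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property: write only at or above your own label."""
    return obj.dominates(subject)


def leaks(labels, enforce_star=True):
    """Every permitted copy (read src, write dst) whose destination does not
    dominate its source. With both rules enforced the list is empty:
    information only flows upward. Without the write rule it is not."""
    def copy_ok(subject, src, dst):
        return can_read(subject, src) and (can_write(subject, dst) or not enforce_star)
    return [(s, a, b) for s, a, b in product(labels, repeat=3)
            if copy_ok(s, a, b) and not b.dominates(a)]


# Constructed labels.
U = Label("unclassified")
S_NUC = Label("secret", frozenset({"nuclear"}))
S_CRY = Label("secret", frozenset({"crypto"}))
TS_ALL = Label("top secret", frozenset({"nuclear", "crypto"}))
LABELS = [U, S_NUC, S_CRY, TS_ALL]

if __name__ == "__main__":
    print(can_read(S_NUC, U), can_write(S_NUC, U))     # read down yes, write down no
    print(can_read(S_NUC, S_CRY))                        # same level, other compartment: no
    print(len(leaks(LABELS)), len(leaks(LABELS, enforce_star=False)))
```

The "blind write up" (an unclassified subject may write a secret object it cannot read) is the price of the *-property; it is what keeps a Trojan horse running at secret from copying what it read into an unclassified file.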
4.5.5: Covert channels
The bad guys are getting smart and use other means of extracting
supposedly protected information.
- For example, a process holding protected data gives good service
(e.g., responds quickly) to signal a zero and bad service to signal
a one; a colluding process that is not allowed to read the data
watches the service it gets and recovers the bits.
- The figure of merit for the protection system is the rate at which
bits can be sent, i.e. the bandwidth of the covert channel. Lower is
better (from the view of the good guys).
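The good-service/bad-service channel simulated end to end, as an added example (not from the notes). The high side modulates its service time, the low side observes that time plus noise and thresholds it, and the code reports the two numbers that matter: the bit error rate and the bandwidth in bits per unit of observed time. Sending each bit three times and taking a majority vote repairs the error at the cost of bandwidth, which is the trade the attacker faces and the reason bandwidth is the figure of merit. Service times and noise are constructed numbers, not measurements.

```python
"""Covert timing channel between a high (secret-holding) process and a low
process, simulated (added example, not from the notes)."""
from itertools import cycle

FAST, SLOW = 1.0, 3.0            # service time the high process grants for a 0 / a 1
THRESHOLD = (FAST + SLOW) / 2


def transmit(bits, noise):
    """High side: good service for 0, bad for 1. Low side sees the service
    time plus scheduler noise (the constructed noise list is cycled)."""
    return [(SLOW if b else FAST) + n for b, n in zip(bits, cycle(noise))]


def decode(times, threshold=THRESHOLD):
    """Low side: anything slower than the midpoint is read as a 1."""
    return [1 if t > threshold else 0 for t in times]


def repeat_bits(bits, r):
    return [b for b in bits for _ in range(r)]


def majority(recv, r):
    return [1 if 2 * sum(recv[i:i + r]) > r else 0 for i in range(0, len(recv), r)]


def run(bits, noise, r=1):
    """Send each bit r times; return the bit error rate and the bandwidth
    (secret bits delivered per unit of observed time, the figure of merit)."""
    times = transmit(repeat_bits(bits, r), noise)
    recv = majority(decode(times), r)
    errors = sum(a != b for a, b in zip(bits, recv))
    return {"ber": errors / len(bits), "bandwidth": len(bits) / sum(times)}


BITS = [1, 0, 1, 1, 0, 0, 1, 0]                              # the secret
NOISE = [0.3, -0.4, 1.2, -0.2, 0.5, 1.1, -0.9, -0.3]          # constructed

if __name__ == "__main__":
    print(run(BITS, NOISE))        # one noisy bit is flipped
    print(run(BITS, NOISE, r=3))   # redundancy fixes it at the cost of bandwidth
```

From the defender's side the levers are the same numbers read backwards: adding noise to what the low process can observe raises the error rate, and the redundancy the attacker then needs lowers the bandwidth.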
Homework: 20.